Scenario / Questions

On the Windows platform, what native options do I have to check if a port (3306, for example) on my local machine (as in localhost) is being blocked?

Find below all possible solutions or suggestions for the above question.

Suggestion: 1

Since you are on a Windows machine, these things can be done:

  • Execute the following command and look for a “:3306” listener (you did not mention UDP/TCP). This will confirm there is something running on the port.

    netstat -a -n

  • After this, if you are expecting incoming connections on this port and feel that the firewall may be blocking them, you could start Windows Firewall logging and check the logs for dropped connections:

    • Go to the Windows Firewall, Advanced settings
    • Click on the Settings button next to “Local Area Connection”
    • Select “Log dropped packets”
    • Look at the log file location (if not present define one)
    • Click OK
    • Now, when the connection attempt is made (assuming you know when this is done), look at the log file for a drop on port 3306.
    • If this is seen, you will want to add an exception for this port.
  • There is one more command to check the firewall state
    (Update for Windows 7 users — as referred by Nick below — use netsh advfirewall firewall)

    netsh firewall show state

    • this will list the blocked ports as well as active listening ports with application associations
  • This command will dump the Windows firewall configuration detail

    netsh firewall show config

If you have an active block (incoming connections are being dropped by firewall) after you start logging, you should see that in the log.

If you are running an application/service that is listening on 3306, the firewall config should show it to be Enabled. If this is not seen, you have probably missed adding an exception with the firewall to allow this app/service.

Finally, port 3306 is typically used for MySQL. So, I presume you are running MySQL server on this windows machine. You should therefore see a listener for 3306 accepting incoming connections. If you do not see that, you need to work with your application (MySQL) to get that started first.
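
The log check described in Suggestion 1, as an added PowerShell example that is not part of the original answer: it reads the `#Fields:` header of a Windows Firewall log and returns the DROP entries for one destination port. The function name `Get-FirewallDrop` is hypothetical, and the log lines are constructed sample data using documentation-range addresses.

```powershell
# Added example: list dropped packets for one destination port in Windows Firewall log text.
function Get-FirewallDrop {
    param(
        [string[]]$Line,      # lines of the firewall log (blank lines allowed)
        [int]$Port = 3306     # destination port to look for
    )
    $fields = $null
    foreach ($raw in $Line) {
        $l = $raw.Trim()
        if ($l -like '#Fields:*') {
            # The header names the columns; use it instead of hard-coded positions.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip everything before the header, other comment lines, and blank lines.
        if (-not $fields -or $l -eq '' -or $l.StartsWith('#')) { continue }
        $cols = $l -split '\s+'
        if ($cols.Count -lt $fields.Count) { continue }   # truncated entry
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['action'] -eq 'DROP' -and $rec['dst-port'] -eq "$Port") {
            [pscustomobject]$rec
        }
    }
}

# Constructed sample log (not captured from a real host).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:02:11 ALLOW TCP 192.0.2.10 192.0.2.20 50112 443 0 - 0 0 0 - - - SEND
2024-01-15 10:02:14 DROP TCP 192.0.2.30 192.0.2.20 50344 3306 52 S 1846201234 0 8192 - - - RECEIVE
2024-01-15 10:02:17 DROP UDP 192.0.2.30 192.0.2.20 137 137 78 - - - - - - - RECEIVE
'@ -split '\r?\n'

# Only the 10:02:14 entry matches: action DROP and dst-port 3306.
Get-FirewallDrop -Line $sample -Port 3306 |
    Format-Table 'date', 'time', 'protocol', 'src-ip', 'dst-port', 'path'

# On a live host with "Log dropped packets" enabled (elevated prompt; assumes the Domain profile):
# $log = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Name Domain).LogFileName)
# Get-FirewallDrop -Line (Get-Content $log) -Port 3306
```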

Suggestion: 2

NETSTAT will tell you if the port is listening but it will not tell you if the port is open to the outside world. What I mean by this is that NETSTAT may show that the is LISTENING on port 3306 but a firewall may still be blocking that port which is preventing outside connections; so it isn’t sufficient to rely on NETSTAT alone.

The best way to check if a port is blocked is to do a port scan from the client machine.

There are many ways to do a port scan, but since you mentioned being on Windows, I will suggest the Microsoft command-line utility PortQry and the graphical version, PortQryUI.

To test all open ports:

portqry.exe -n #.#.#.#

To test a specific port:

portqry.exe -n #.#.#.# -e #

For example to test the Web interface of a router at

portqry.exe -n -e 80

Which returns:

TCP port 80 (http service): LISTENING

Whereas testing on a local machine with no HTTPD running returns:

TCP port 80 (http service): NOT LISTENING

Using a PortScan utility you will get one of 3 results.

  • Listening means the server is listening on the specified port
  • Filtered means it received a TCP acknowledgement packet with the Reset flag set which likely indicates a firewall or software issue
  • Not Listening means it didn’t receive a response at all

telnet is another command-line option that is usually installed on the OS by default. This command-line utility can be used as a quick way to see if a port responds to a network request.

To use telnet you would simply issue the following command from a command prompt:

telnet localhost 3306

The command above should give you a quick indication if the port 3306 on the localhost is responding.

Suggestion: 3

Since PowerShell 4.0 you can use the command Test-NetConnection

If you want to test Port 3306 as in your example the command is

Test-NetConnection -ComputerName localhost -Port 3306

TechNet Test-NetConnection documentation

Suggestion: 4

If you can telnet to the port from the local machine (using the external IP address), but not from another machine – then it is being blocked somewhere between.

Note that a firewall on your local machine could prevent even the first action.